My posse of heroines

I’m going to buck the trend and not name names on my post for Ada Lovelace Day 2009.  Instead I want to salute the women of the Ubuntu Women project for making participating in Ubuntu and in Open Source software in general just a little more supportive, friendly, and welcoming.  Unless one comes into our spaces to troll or harass, in which case the banhammers are swiftly dealt 🙂

Over the years (and it’s been years now!) I’ve hung out in #ubuntu-women on freenode, participated in the mailing list, and run into U-W participants at conferences around the world.  Through this, I’ve gained an invaluable support network, a place to vent to my peers, a great group of male allies (by which I mean guys who support the U-W project), and a bunch of fantastic friends.

Ada Lovelace Day is all about role models, and I couldn’t ask for a better bunch of women to look up to than the ones I hang out with every day in #ubuntu-women.  Thanks for all the great conversations, and let’s keep working hard on bug number 1!

I would be remiss to not mention my friend Behdad Esfahbod’s post for ALD, because he picked me to write about.  I’m delighted and honoured that he wrote about me. ETA: looks like Joey DeVilla and Karen Fung did too!

-Leigh

HackLabTO Ignite at DemoCampTO19

I gave my first Ignite talk last week at DemoCamp.  If you’re unfamiliar with the format, you have 20 slides which advance automatically every 15 seconds, giving you a total of 5 minutes to talk.  It’s a fun format, but I was amazed at how much more quickly those slides flashed by when I was in front of an audience than when I was practicing.

My slides were mostly photos, and I had notes co-ordinated with them.  I’ve put the presentation on Slideshare, but they don’t share presentation notes well, so I’ll include them here.  The bullets are numbered the same as the corresponding slides.  Read them really fast and you’ll get an accurate impression of how my talk went (at least until the video gets posted, ruh roh).  Slides and notes below the jump.

Continue reading “HackLabTO Ignite at DemoCampTO19”

Career talk at SpoofIT

I gave a talk a few weeks ago at SpoofIT, the IT Security club at UOIT.  I referred to a number of links and resources during the talk but haven’t had a chance until now to post a list of them.  I’ve also written up a little summary of the talk for those who missed it.  I owe a huge debt of inspiration to James Arlen’s talk at The Last Hope, which you can download at the hackermedia archive or on bittorrent at the HOPE tracker.  It’s the one titled “From Black Hat to Black Suit”.  He’s been doing this a lot longer than I have, so go watch his talk too 🙂
Continue reading “Career talk at SpoofIT”

Tweets? In /my/ Facebook?

It’s more likely than you think!

While some people are very frustrated by the occasional spamminess of Twitter -> Facebook posting, and others posit that Facebook will eventually kill Twitter because the “conversation moves there”, I just like being able to update both places at once and don’t really care to make predictions either way.

Instead I want to post a quick field guide to Twitter for Facebook users.  Not because they should particularly go ahead and sign up, but to make clearer what all the @this and #that’s crapping up their news feeds are.  Because they do tend to open dialogs and conversations, but can be confusing sometimes too – I definitely think about how something will work on my FB feed before posting to Twitter.

Continue reading “Tweets? In /my/ Facebook?”

25C3 Day 3

Paul and I turned in pretty early on Day 2 and managed to make the first talk on Day 3, though not without the assistance of Club Mate and Starbucks.  Day 3 was where things started to get really hairy in terms of being able to get into rooms to see the talks I wanted to see; I ended up missing the RFID talk I really wanted to see in favor of getting to the room for the Storm talk half an hour early.  But that’s what conference recordings are for, isn’t it!

As before, be sure to also check out Security4All’s post on Day 3 for a more Belgian perspective on things.

Continue reading “25C3 Day 3”

25C3 Day 2

Continuing on from my post from a couple of days ago, here are my notes from Day 2 of the 25th Chaos Communications Congress in Berlin.  I’ve been slow with getting these posted – Day 2 was December 28th.  Better late than never, right?

[Photo: A lighthearted moment from Soviet Unterzoegersdorf]

As with the previous posts, for a different perspective and selection of talks I highly recommend checking out Security4All’s blog post about Day 2 as well.

Finally, if you’re particularly interested in anything I’ve written about, you should check out the official recordings here.  Most of the talks have been posted both as direct downloads and torrents.  I can’t even begin to say how amazing this is given that the conference is barely over.  From what I hear as well the live streams coming from the conference while it was running were also totally solid.

And now for the actual comments about this day’s talks!

Continue reading “25C3 Day 2”

25C3 Day 1

Finally sitting down at Paul’s laptop to write up some notes on the talks I’ve seen so far.  I’m going to break it up into days because I’ve taken a lot of notes 🙂  Here goes, with comments in brackets:

Gadi Evron on Cyberwarfare

  • EU security operations / CERTs are not very organized
  • cyber warfare is mostly bull****

iPhone hacking

  • They’ve fully soft-unlocked the phone, but it’s been done in such a way that Apple can still fix it with a software update

Memory Forensics with the Cold Boot Attack

  • attack has been fully weaponized to USB keys (or functional iPods) and PXE boot
  • Jake has found a somewhat unrelated bug in Mac OSX’s Login.app which results in logged-in users’ passwords being stored in RAM; Apple is aware of the issue and not fixing it.  Same for FileVault keys [o_0]
  • Linux dm_crypt is vulnerable
  • loop_aes devs thought they weren’t vulnerable because of some key-shifting stuff they do, turns out it just means that they store twice the keydata 🙂
  • Co-author of USENIX paper Nadia wrote an awesome keyfinding tool which can grab keys from RAM even with something like 75% corruption
  • Bitlocker default / simple mode is totally pwned
  • Even with TPM in use Bitlocker is still vulnerable if precise timings are used

Dan Kaminsky – Why were we so vulnerable to the DNS vulnerability?

  • random person named Paul sitting beside me on the couch by the Go boards describes it as “+5 insightful”
  • My Paul is all excited that Dan is now publicly in favour of DNSSEC 🙂

[Image: dns pwnage]

Edited to add:  For some additional perspectives on Day 1, have a look at my Belgian friend Security4All’s blog post, which has a different selection of talks.

My ideal Twitter client

Since the demise of Twitter’s Jabber server, I’ve been frustrated with pretty much every client I’ve tried.  And I’ve used a few:

  • twhirl – doesn’t stop scrolling up when it’s out of focus
  • twibble – random crappiness, memory leaks, poor recovery from posting failures
  • tweetdeck – doesn’t remember the groups you set up so if you accidentally close them you’re screwed, and also doesn’t work on 64-bit linux (same applies to twhirl – it’s an Adobe Air issue)
  • a couple of console clients, all just sort of generally crap.  Mainly frustrated by their inability to scroll backwards – I like being able to not look at twitter for a few hours without missing out on stuff 🙂

So here’s my ideal client.  I’m going to start writing it on Wednesday, once school’s done.

  • works with an irc client.  I ❤ irc, and I can keep it running on my shell server, accessible from anywhere.
  • search functionality: I want to be able to join a channel and have that act as the search term on summize / twitter search such that /join #search-25C3 shows me the results for this search in real(ish) time.
  • groups functionality (like tweetdeck) – I’d like to be able to set up groups of followees to see only their tweets.  There are a couple of reasons for this: wanting to have a “quiet” group containing just the people I care most about, avoiding what on LiveJournal is termed “unfriending drama”, grouping friends geographically, or whatever.  But it’s been sorely lacking in my Twitter experience so far.
  • keyword exclusion – if I don’t want to hear any more about #AnnoyingVendorCon, I want to be able to exclude it from the tweets I’m getting.
  • proper IRC direct message functionality: dm’s should show up as /msg windows.
  • following and unfollowing from within the client – this hasn’t worked properly in twibble for a while.

I’m going to start working off Mike Verdone’s existing Python Twitter Tools – should be a good start.
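As an added illustration of the wish-list above (not code from the post or from Python Twitter Tools), here is a small routing model: a `/join #search-<term>` registers a live search, groups map to their own channels, excluded keywords are dropped, and direct messages become `/msg` targets. The `Tweet` shape and all sample tweets are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Tweet:
    # Constructed sample shape; a real client would build these from the API.
    user: str
    text: str
    direct: bool = False


@dataclass
class ClientState:
    groups: dict = field(default_factory=dict)    # channel -> set of usernames
    searches: set = field(default_factory=set)    # terms from /join #search-<term>
    excluded: set = field(default_factory=set)    # keywords to drop entirely

    def join(self, channel: str) -> None:
        """/join #search-<term> turns the channel into a live search, as proposed."""
        prefix = "#search-"
        if channel.startswith(prefix) and len(channel) > len(prefix):
            self.searches.add(channel[len(prefix):])


def route(tweet: Tweet, state: ClientState) -> list:
    """Return the IRC targets a tweet is delivered to; [] means it is filtered out."""
    text = tweet.text.lower()
    # Keyword exclusion wins over everything else (#AnnoyingVendorCon goes away).
    if any(k.lower() in text for k in state.excluded):
        return []
    # DMs show up as private-message windows rather than in a channel.
    if tweet.direct:
        return [f"/msg {tweet.user}"]
    targets = ["#twitter"]  # the main timeline channel (assumed name)
    targets += [chan for chan, members in state.groups.items() if tweet.user in members]
    targets += [f"#search-{term}" for term in sorted(state.searches) if term.lower() in text]
    return targets
```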

TD Canada Trust password policy fail

My browser was behaving strangely when I tried to log in to the TD Canada Trust online banking server, so just to be paranoid I decided to change my password using another machine.  I then realized that it was just me being dumb – my user agent was set to IE as I had been testing something earlier.  Oops!

However, it did all lead me to discover this gem epic failboat of a password policy:

When changing your password, please remember that it must be between 5 and 8 characters in length and should contain both letters and numbers. Special characters (e.g. #, &, @) must not be used as they will not be accepted by the system. Passwords consisting of all letters or all numbers are not recommended. Although TD Canada Trust does not require you to change your password, we recommend that for security purposes you change your password every 90 days.

Okay, wtf people.  5-8 characters seems awfully permissive, and doesn’t let me put in a nice long password… but not requiring numbers and letters?  Just recommending it?  And their system doesn’t support punctuation in passwords?  Yeesh.

It gets worse.  I decided to play around with it, and was able to change my password to the following:

  • foobar
  • 12345
  • 11111
  • aaaaa
  • the first 5 characters of my bank card number (which is the username when one logs in, and is common to many TD customers).

Obviously I’ve changed the password to one which is as secure as I can make it given their crappy constraints, but it really angers me that I’m paying through the fees I pay them for this kind of asinine security policy.  It almost makes me want to go through the hassle of switching banks… but I’m sure the others all have similar issues on one level or another.
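To make the weakness concrete, here is an added example (not TD’s code, nor the original post’s) that models the quoted policy as a validator, shows that the passwords listed above pass it, and compares it against a constructed stricter policy and the brute-force keyspace each allows. The stricter rules and the sample username are assumptions for illustration.

```python
import math
import re
import string

# Hard rules in the quoted TD policy: 5-8 characters, letters/digits only.
# Mixing letters and digits is only "recommended", so it is not enforced here.
TD_ALLOWED = set(string.ascii_letters + string.digits)


def td_policy_accepts(password: str) -> bool:
    """Model of the quoted TD Canada Trust policy."""
    return 5 <= len(password) <= 8 and all(c in TD_ALLOWED for c in password)


def hardened_policy_accepts(password: str, username: str = "") -> bool:
    """Constructed comparison policy (an assumption, not anything TD publishes):
    12+ characters, any printable ASCII, at least two character classes,
    not a single repeated character, and not starting with the username."""
    if len(password) < 12 or not all(c in string.printable for c in password):
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2 or len(set(password)) == 1:
        return False
    if username and password.lower().startswith(username[:5].lower()):
        return False
    return True


def keyspace_bits(min_len: int, max_len: int, alphabet_size: int) -> float:
    """Bits of brute-force search space for all lengths the policy allows."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


if __name__ == "__main__":
    for pw in ("foobar", "12345", "11111", "aaaaa"):
        print(pw, "TD:", td_policy_accepts(pw), "hardened:", hardened_policy_accepts(pw))
    print("TD keyspace bits:", round(keyspace_bits(5, 8, 62), 1))
    print("12-16 printable ASCII bits:", round(keyspace_bits(12, 16, 95), 1))
```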

Some days, though, this industry just makes me want to set things on fire – today is one of those days.

-Leigh

CSC491 – Second Milestone

Not quite as far along as I want to be, but definitely getting there.  Refreshed my rpm and general sysadminning memories in the process.  Still a lot to get done to have anything interesting…

A bit of background is in order to understand what I’ve been up to.  I’ve been working this week on getting the hang of working with the Planet-Lab infrastructure, and can mostly find my way around it manually now.  I haven’t figured out how to automate the interactions with it in the way that will be needed for this project, but it’s a start.

Planet-Lab is a network of computers around the world which researchers can obtain access to (eventually).  As a user, one gets a “slice”, which as far as I can tell is just a project-specific username.  The user can assign virtual machines on the “nodes”, which are the actual machines.  Users have limited root access on the nodes, and can install software, set up cron jobs (scheduled tasks), and run scripts.

So where has this gotten me? Well, read on….

Continue reading “CSC491 – Second Milestone”